RE: Updating libxml2 in poudriere jail
Date: Mon, 08 May 2023 04:40:13 UTC
Simon Wright <simon.wright_at_gmx.net> wrote on Date: Mon, 08 May 2023 01:36:45 UTC :

> I am using poudriere to build a small selection of ports with
> non-default options. This is working fine, however for the daily
> security run on the VM that runs poudriere, I am seeing this warning:
>
> =======================
> Checking for security vulnerabilities in base (userland & kernel):
> Database fetched: Sun May 7 03:40:24 PST 2023
> 0 problem(s) in 0 installed package(s) found.
> 0 problem(s) in 0 installed package(s) found.
> portaudit for jails on vmserver04 - 2 problem(s) found.
>
> portaudit for jail: pkg.home.santos-wright.net (JID: 10)
>
> libxml2-2.10.3_2 (textproc/libxml2) is vulnerable:
> libxml2 -- multiple vulnerabilities
> CVE: CVE-2023-29469
> CVE: CVE-2023-28484
> WWW: https://vuxml.FreeBSD.org/freebsd/0bd7f07b-dc22-11ed-bf28-589cfc0f81b0.html
>
> 1 problem(s) found.
>
> portaudit for jail: pkg.home.santos-wright.net (JID: 8)
>
> libxml2-2.10.3_2 (textproc/libxml2) is vulnerable:
> libxml2 -- multiple vulnerabilities
> CVE: CVE-2023-29469
> CVE: CVE-2023-28484
> WWW: https://vuxml.FreeBSD.org/freebsd/0bd7f07b-dc22-11ed-bf28-589cfc0f81b0.html
>
> 1 problem(s) found.
>
> ======================
>
> I have tried updating the jail which works but finds no updates since it
> is already on the latest security release:
>
> [user /etc/periodic/daily]$ sudo poudriere jail -j FreeBSD:13:amd64 -u
> [sudo] Enter user's password:
> [00:00:00] Upgrading using ftp
> Looking up update.FreeBSD.org mirrors... 2 mirrors found.
> Fetching metadata signature for 13.2-RELEASE from update1.freebsd.org... done.
> Fetching metadata index... done.
> Inspecting system... done.
> Preparing to download files... done.
>
> No updates needed to update system to 13.2-RELEASE-p0.
> 13.2-RELEASE
> [00:00:10] Recording filesystem state for clean... done

I'm confused. textproc/libxml2 is not part of any 13.2-RELEASE-p* and so
would not be updated by an update to 13.2-RELEASE-p*.

> ======================
>
> I've tried manually starting the jail, installing pkg and updating
> libxml2 which works but on restarting the jail, it has as expected
> reverted to the vulnerable version of libxml2.

It is important for poudriere operation that the jail(s) it uses not have
packages pre-installed. That can interfere with poudriere building ports
into packages and/or with installing them as needed. (Messing up detection
of what is missing and, so, needs to be built or installed.) poudriere bulk
should do all its own package installations for use in all builders as I
understand things.

> Can anyone point me in the right direction to eliminate the error
> message on the daily security scan? Or can I remove this package from
> the jail?

If you have packages that look to be installed in jail(s) even when
poudriere is not doing the likes of a bulk build (or related), then I
suggest uninstalling such. Even if such is not a (full) fix of the overall
issue, as far as I know, pre-installed packages are not a valid/general
solution to anything for poudriere bulk operation.

===
Mark Millard
marklmi at yahoo.com
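The per-jail "portaudit for jail:" sections of the daily security report have a fixed layout, so the findings can be pulled out mechanically (one line per jail, JID, package and its CVEs) rather than read by eye each morning. This is an added example, not code from the thread or from poudriere or pkg; the report it parses is a constructed copy of the one quoted above.

```shell
#!/bin/sh
# Constructed sample: the per-jail part of the report quoted in the thread.
SAMPLE_REPORT='portaudit for jails on vmserver04 - 2 problem(s) found.

portaudit for jail: pkg.home.santos-wright.net (JID: 10)

libxml2-2.10.3_2 (textproc/libxml2) is vulnerable:
libxml2 -- multiple vulnerabilities
CVE: CVE-2023-29469
CVE: CVE-2023-28484
WWW: https://vuxml.FreeBSD.org/freebsd/0bd7f07b-dc22-11ed-bf28-589cfc0f81b0.html

1 problem(s) found.

portaudit for jail: pkg.home.santos-wright.net (JID: 8)

libxml2-2.10.3_2 (textproc/libxml2) is vulnerable:
libxml2 -- multiple vulnerabilities
CVE: CVE-2023-29469
CVE: CVE-2023-28484
WWW: https://vuxml.FreeBSD.org/freebsd/0bd7f07b-dc22-11ed-bf28-589cfc0f81b0.html

1 problem(s) found.'

# Read a report on stdin and print one line per vulnerable package:
#   <jail name> <JID> <package-version> <comma-separated CVEs>
# The "portaudit for jails on ..." summary line does not match the
# "portaudit for jail: " header and so starts no section.
parse_jail_audit() {
    awk '
    function emit() { if (pkg != "") print jail, jid, pkg, cves; pkg = ""; cves = "" }
    /^portaudit for jail: / {
        emit()
        jail = $4
        jid = $0; sub(/.*\(JID: /, "", jid); sub(/\).*/, "", jid)
        next
    }
    /^[^ ]+ \([^)]+\) is vulnerable:$/ { emit(); pkg = $1; next }
    /^CVE: / { cves = (cves == "" ? "" : cves ",") $2; next }
    END { emit() }
    '
}

# Number of vulnerable-package findings across all jails in a report.
jail_audit_total() { parse_jail_audit | wc -l | tr -d ' '; }

printf '%s\n' "$SAMPLE_REPORT" | parse_jail_audit
```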